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DETAILED ACTION 
Response to Amendment 

1 . This action is in response to the amendment filed 07/30/2004. Claims 1 0 and 24 
have been amended, claims 28-29 have been canceled. The specification has also 
been amended. 

Response to Arguments 

2. Applicant's arguments, see page 10, 2 nd paragraph, filed 07/30/2004, with 
respect to the rejection of claim 12 under 35 USC 112, 2 nd paragraph has been fully 
considered and are persuasive. The rejection of claim 12 has been withdrawn. 

3. Applicant's arguments filed 07/30/2004, with respect to the rejections of claims 1- 
27 under 35 USC 103, have been fully considered but they are not persuasive. 

Regarding claim 1 , Applicant argues that Attwood does not disclose preventing a 
connection under certain conditions (page 11, line 10 from the bottom). Attwood does 
teach that a TCP packet is part of a connection and TCP packets will not be transmitted 
if a security association cannot be determined at the IP layer (col. 8, lines 57-59; col. 9, 
lines 30-50). 

Regarding claims 10 and 17, Applicant argues that Attwood does not teach 
preventing data from being transmitted in the absence of a defined security association 
(page 12) or a network interceptor insures a security association is in place before 
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allowing network traffic to flow (page 13). Attwood discloses that data will not be 
transmitted without a defined security association (col. 9, lines 30-50). 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1-27 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Attwood et al (6,347,376) in view of Nikander et al (6,252,321 ). 

a. Regarding claims 1 and 20, Attwood disclose a method comprising: 
monitoring application socket requests (col. 3, lines 34-40; col. 8, lines 57-59); 
requesting a TCP connection by an application (col. 3, lines 34-40; col. 8, lines 
57-59); 

determining if there is security rule information binding, which meets the limitation 
of an active security association, that exists to protect network flow associated with the 
connection request (fig. 11, step 1102 and col. 3, lines 34-38); 

preventing the connection request from proceeding if no active security 
association exists to protect the network flow (fig. 11, steps 1 108, 1 112; col. 8, lines 57- 
59; col. 9, lines 30-50); 
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determining if a security policy exists for the network flow if no active security 
association exists to protect the network flow (fig. 1 1 ; steps 1 108, 1112; fig. 8, steps 
802-818); 

allowing the connection request to proceed if one of the active security 
association exists (fig. 11, step 1110; fig. 8, step 826). 

The Attwood reference does not disclose whether the security association for 
each security policy is manually configured or dynamically negotiated, and therefore, 
does not disclose the step of alerting a security association negotiation component to 
initiate negotiation for a security association based on the security policy if the security 
policy exists for the network flow, and using the security association established from 
the negotiation in the step of allowing the connection request to proceed. Nikander 
discloses a key manager using the ISAKMP/Oakley protocol, which meets the limitation 
of the security association negotiation component; and the step of a policy manager 
alerting the key manager to negotiate a security association for a connection based on 
the security policy when the first packet is examined (col. 4, lines 38-40; col. 5, lines 33- 
40; col. 6, lines 33-37). It would have been obvious to one of ordinary skill in the art at 
the time the invention was made modify the method of Attwood to use a security 
association negotiation component, a policy manager, and to include the step of alerting 
a security association negotiation component to initiate negotiation for a security 
association based on the security policy, as suggested by Nikandar, so that a security 
association can be negotiated as needed for IPsec processing. 
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b. Regarding claims 2 and 21 , the security association negotiation 
components in those claims use the ISAKMP/Oakley protocol, which meets the 
limitation of the IKE component. 

c. Regarding claims 3 and 23, Attwood further discloses that the active 
security association and the security association are based on at least one of a source 
IP address, a destination IP address, a protocol, a source port, and a destination port 
(col. 6, lines 13-18). 

d. Regarding claim 4, Attwood further discloses that the protocol comprises 
one of TCP, UDP, ICMP, and IGMP (col. 6, lines 22-23). 

e. Regarding claim 5, it is interpreted as "determining if the network flow can 
be allowed if the packet matches a filter in which the corresponding action states to 
allow the traffic to flow in the clear" (see fig. 3, step S19; and page 1 1 , lines 2-5). 
Attwood further discloses that a packet is allowed if IPSEC is not required (fig. 8, step 
812). 

f. Regarding claim 6, Attwood further discloses retrieving the security 
association from a database (col. 6, lines 40-42). 

g. Regarding claim 7, Attwood further discloses that the database contains 
mapping between network flow information and security associations (fig. 5). 

h. Regarding claim 8, Attwood further discloses that the network flow 
information comprises at least one of a source IP address, a destination IP address, a 
protocol, a source port, and a destination port (col. 6, lines 13-18). 
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L Regarding claim 9, Attwood further discloses retrieving the security policy 
from a database (fig. 5). 

j. Regarding claims 10-12 and 24-26, Attwood disclose a method 
comprising: 

monitoring application socket requests (col. 12, lines 7-12); 

requesting transmission of UDP data on a socket by an application (col. 12, lines 

7-12); 

determining if the socket has been associated with a security rule information 
binding, which meets the limitation of an active security association (col. 4, lines 4-17 
and fig. 13, step 1302); 

determining if there is a defined security association that may be used to protect 
the network flow if the socket has not been associated with any active security 
association (fig. 13, steps 1308, 1312; fig. 8, steps 802-818); 

preventing the UDP data from being sent if there is no defined security 
association that may be used to protect the network flow (fig. 13, steps 1308, 1312; col. 
8, lines 57-59; col. 9, lines 30-50); 

allowing the UDP data to be sent (fig. 13, step 1310; fig. 8, step 826). 

Attwood does not disclose the steps of: determining what security policy should 
be used when negotiating a security association for the network flow if there is no 
defined security association that may be used to protect the network flow; alerting a 
security association negotiation component to initiate negotiation for a security 
association using security parameters specified by the security policy if the security 
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policy exists for the network flow; and establishing the security association. Nikander 
discloses a policy manager, the policy manager determining what security policy should 
be used when negotiating a security association for the network flow if there is no 
defined security association that may be used to protect the network flow (col. 4, lines 
60-64; col. 6, lines 26-32); a key manager using the ISAKMP/Oakley protocol, which 
meets the limitation of the security association negotiation component; and the step of a 
policy manager alerting the key manager to negotiate a security association using 
security parameters specified by the security policy and establishing the security 
association (col. 4, lines 38-40; col. 5, lines 33-40; col. 6, lines 60-67). It would have 
been obvious to one of ordinary skill in the art at the time the invention was made 
modify the method of Attwood to use a policy manager and a key manager, and to 
include the steps of determining what security policy should be used when negotiating a 
security association for the network flow if there is no defined security association that 
may be used to protect the network flow; alerting a security association negotiation 
component to initiate negotiation for a security association using security parameters 
specified by the security policy if the security policy exists for the network flow; and 
establishing the security association, as suggested by Nikandar. The motivation for 
doing so would have been to negotiate and establish a security association as needed 
for IPsec processing. Accordingly, once the security association is established, the 
UDP data is processed according to the established security association and 
transmitted. 
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k. Regarding claim 1 3, Attwood further discloses that the second determining 
comprises comparing filters with at least one of a source IP address, a destination IP 
address, a source port, and a destination port related to the network flow (col. 6, lines 
13-18). 

I. Regarding claim 14, Attwood further discloses that each filter comprises at 
least one of a source IP address, a destination IP address, a protocol, a source port, 
and a destination port (col. 6, lines 13-18). 

m. Regarding claim 1 5, Attwood further discloses that the security policy 
comprises one filter (fig. 5). 

n. Regarding claim 16, it is interpreted as "determining if the packet can be 
allowed to be transferred in the clear without a security association" (see fig. 5, step 
S34; and page 12, lines 3-5). Attwood further discloses that a packet is allowed if 
IPSEC is not required (fig. 8, step 812). 

o. Regarding claim 17 the limitation "a network unit" in the second line of the 
claim is interpreted as "a communicating peer" (see page 2, lines 17-18). Attwood 
discloses a computing device comprising: 

a network interceptor, the network interceptor monitoring an application's socket 
request (col. 3, lines 34-40; col. 8, lines 57-59; col. 12, lines 7-12); 

a security association database operably connected to the network interceptor, 
the security association database containing a mapping of network flow information to 
security association information (col. 6, lines 40-42); 
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a security policy database operably connected to the network interceptor, the 
security policy database containing policies that describe parameters that are to be 
used in a negotiation of a security association (fig. 5); 

an Internet Protocol security packet classifier, the IPsec packet classifier 
responsible for performing IPsec processing on incoming and outgoing packets (fig. 8), 

Wherein the network interceptor insures that a security association is in place 
before allowing network traffic to flow between the application and the network unit 
(figure 11; col. 8, lines 57-59; col. 9, lines 30-50). 

Attwood does not disclose a security association negotiation component operably 
connected to the network interceptor, the security association negotiation component 
capable of negotiating a security association with a network unit. Nikander discloses a 
key manager component using the ISAKMP/Oakley protocol, which meets the limitation 
of the security association negotiation component; the key manager component capable 
of negotiating a security association with a network unit (col. 4, lines 38-40; col. 5, lines 
33-40). It would have been obvious to one of ordinary skill in the art at the time the 
invention was made modify the device of Attwood to include a security association 
negotiation component capable of negotiating a security association with a network unit, 
as suggested by Nikandar, so that a security association can be negotiated as needed 
for IPsec processing. 

p. Regarding claim 1 8, Attwood further discloses that the network flow 
information comprises at least one of an IP addresses, protocol, ports (col. 6, lines 13- 
18). 
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q. Regarding claim 19, the security association negotiation component in 
claim 17 uses the ISAKMP/Oakley protocol, which meets the limitation of the IKE 
component. 

r. Regarding claim 22, Attwood does not disclose negotiating for a security 
association using security parameters specified by a policy. Nikandar discloses that the 
key manager component negotiates for a security association using security parameters 
specified by a policy (col. 5, lines 33-37; col. 6, lines 60-67). It would have been 
obvious to one of ordinary skill in the art at the time the invention was made modify the 
method of Attwood to include negotiating for a security association using security 
parameters specified by a policy, as suggested by Nikandar, so that security 
associations can be correctly negotiated as required by security policies. 

s. Regarding claim 27, Attwood does not disclose that the active security 
association comprises a security parameter index (col. 6, lines 40-42), which comprises 
at least one of a source IP address, a destination IP address, a protocol, a source port, 
and a destination port. 

Conclusion 

6. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .1 36(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
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mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Minh Dinh whose telephone number is 571-272-3802. 
The examiner can normally be reached on Mon-Fri: 10:00am-6:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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